Skip to content

zalun/Flask-pyoidc

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

94 Commits

example

example

 
 

src/flask_pyoidc

src/flask_pyoidc

 
 

tests

tests

 
 

.bumpversion.cfg

.bumpversion.cfg

 
 

.coveragerc

.coveragerc

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

setup.py

setup.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

Flask-pyoidc

PyPI codecov.io Build Status

This Flask extension provides simple OpenID Connect authentication, by using pyoidc. Currently only "Code Flow") is supported.

Usage

Provider and client configuration

Both static and dynamic provider configuration discovery, as well as static and dynamic client registration, is supported. The different modes of provider configuration can be combined with any of the client registration modes.

Dynamic provider configuration

To use a provider which supports dynamic discovery it suffices to specify the issuer URL:

auth = OIDCAuthentication(issuer='https://op.example.com')

Static provider configuration

To use a provider not supporting dynamic discovery, the static provider configuration can be specified:

provider_config = {
    'issuer': 'https://op.example.com',
    'authorization_endpoint': 'https://op.example.com/authorize',
    'token_endpoint': 'https://op.example.com/token',
    'userinfo_endpoint': 'https://op.example.com/userinfo'
}
auth = OIDCAuthentication(provider_configuration_info=provider_config)

See the OpenID Connect specification for more information about the provider metadata.

Static client registration

If you have already registered a client with the provider all client registration information can be specified:

client_info = {
    'client_id': 'cl41ekfb9j',
    'client_secret': 'm1C659wLipXfUUR50jlZ',

}
auth = OIDCAuthentication(client_registration_info=client_info)

Note: The redirect URIs registered with the provider MUST include <application_url>/redirect_uri, where <application_url> is the URL for the Flask application.

Session refresh

If your OpenID Connect provider supports the prompt=none parameter, the library can automatically support session refresh on your behalf. This ensures that the user session attributes (OIDC claims, user being active, etc.) are valid and up-to-date without having to log the user out and back in. To use the feature simply pass the parameter requesting the session refresh interval as such:

client_info = {
    'client_id': 'cl41ekfb9j',
    'client_secret': 'm1C659wLipXfUUR50jlZ',
    'session_refresh_interval_seconds': 900

}
auth = OIDCAuthentication(client_registration_info=client_info)

**Note: The client will still be logged out at whichever expiration time you set for the Flask session.

Dynamic client registration

If no client_id is specified in the client_registration_info constructor parameter, the library will try to dynamically register a client with the specified provider.

Protect an endpoint by authentication

To add authentication to one of your endpoints use the oidc_auth decorator:

import flask
from flask import Flask, jsonify

app = Flask(__name__)

@app.route('/')
@auth.oidc_auth
def index():
    return jsonify(id_token=flask.session['id_token'], access_token=flask.session['access_token'],
                   userinfo=flask.session['userinfo'])

This extension will place three things in the session if they are received from the provider:

User logout

To support user logout use the oidc_logout decorator:

@app.route('/logout')
@auth.oidc_logout
def logout():
    return 'You\'ve been successfully logged out!'

This extension also supports RP-Initiated Logout, if the provider allows it.

Specify the error view

If an OAuth error response is received, either in the authentication or token response, it will be passed to the specified error view. An error view is specified by using the error_view decorator:

from flask import jsonify

@auth.error_view
def error(error=None, error_description=None):
 return jsonify({'error': error, 'message': error_description})

The function specified as the error view MUST accept two parameters, error and error_description, which corresponds to the OIDC/OAuth error parameters.

If no error view is specified a generic error message will be displayed to the user.

Configuration

The application using this extension MUST set the following builtin configuration values of Flask:

  • SERVER_NAME (MUST be the same as <flask_url> if using static client registration)
  • SECRET_KEY (this extension relies on Flask sessions, which requires SECRET_KEY)

You may also configure the way Flask sessions handles the user session:

  • PERMANENT_SESSION (added by this extension; makes the session cookie expire after a configurable length of time instead of being tied to the browser session)
  • PERMANENT_SESSION_LIFETIME (the lifetime of a permanent session)

See the Flask documentation for an exhaustive list of configuration options.

Example

Have a look at the example Flask app in app.py for an idea of how to use it.

About

Flask extension for using pyoidc as authentication for Flask apps.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

10 tags

Packages

No packages published

Languages

  • Python 100.0%